Electronic commerce requires secure information security protocols to prevent fraud, e.g. based on impersonation of electronic identification data. In a completely electronic situation, it remains challenging to genuinely authenticate the actual identity of a remote party in an interactive session or a transaction.
This is so even with public key cryptography using X.509 security certificates, because the essence of this prevailing scheme, known as PKI, is delegation of trust bootstrapping to a certification authority which may not be better equipped than the electronic commerce operator in the first place. Also, the installation of client-side security certificates is error-prone and inconvenient for the end-user. Such installation procedures are so complex, e.g. including a request to a certification authority and the receipt of a security certificate in the end-user computer system, that they often appear remotely related to the critical requirement for end-user protection of his private key, a requirement which too often in practice becomes a secondary issue. The present invention aims notably at providing an electronic commerce operator a secure shortcut to strong client authentication while allowing clients to use conventional web browser software for interaction with the electronic commerce servers.
A while ago, the present inventor invented SAKEM, Secret Authentication Key Establishment Method, disclosed in U.S. Pat. No. 6,061,791, Moreau, Thierry, “Initial Secret Key Establishment Including for Verification of Identity”, issued on May 9, 2000, hereafter the SAKEM disclosure and included herein by reference. SAKEM is an improved client registration procedure envisioned for electronic commerce. The basic idea shared by SAKEM, a less elaborate registration procedure developed by V-One for VPN client registration (U.S. Pat. No. 5,784,463, Chen, James F., Wang, Jieh-Shan, “Token Distribution, and Dynamic Configuration of User Entitlement for an Application Level Security System and Method”, issued on Jul. 21, 1998 assigned to V-One Corporation), hereafter the V-One disclosure, and other schemes referenced in the SAKEM disclosure, is the establishment of a long-term symmetric key using public key cryptography at the establishment phase, with more or less elaborate provisions for client authentication. Nowadays however, authenticated symmetric secret key usage seems limited to VPNs, e.g. with IPsec VPNs. The leading SSL and TLS software implementations offer no or limited support of the symmetric key variant of the leading Internet security protocol, i.e. TLS-PSK for Transport Layer Security with Pre-Shared Key.
Thus, the abovementioned client registration procedures bootstrap a type of key material which is of little use with the security techniques implemented in prevailing web browser software. On the other hand, the client security certificate capability found in browser software is seldom used, leaving the bulk of electronic commerce security to password-based client authentication.
In situations where an electronic commerce operator needs stronger authentication, client security certificate, perhaps implemented in physical security tokens instead of a software-only solution, is the most readily available option. Actually, it is not the certificate management capability that is securing electronic commerce, but the client computer system potential for preserving the client private key secrecy. The trust in the corresponding client public key may be based on security certificates as consistently taught by the prior art. Other options are desirable, preferably with seamless integration in existing software.